Datatilsynet - DT-20/01896

From GDPRhub
Datatilsynet - DT-20/01896
LogoNO.png
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 5(2) GDPR
Article 6(1)(f) GDPR
Article 24 GDPR
Article 32 GDPR
Type: Investigation
Outcome: Violation Found
Decided: 07.12.2020
Published: 07.01.2021
Fine: 75000 NOK
Parties: Gveik AS
National Case Number/Name: DT-20/01896
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Norwegian
Original Source: Datatilsynet (in NO)
Initial Contributor: Rie Aleksandra Walle

The Norwegian DPA (Datatilsynet) fined Gveik AS NOK 75,000 (€7,200) for subjecting the complainant to a credit rating without a legal basis under Article 6(1)(f) GDPR and for not adhering to the accountability principle as per Article 5(2). The DPA also requires that the company implement internal controls of their credit rating process as per Article 24.

English Summary[edit | edit source]

Facts[edit | edit source]

A representative acting on behalf of Gveik AS conducted a credit rating on the complainant's sole proprietorship, despite the latter having no customer relationship or any other affiliation with either the representative or the company. The representative claimed that the credit rating was conducted by mistake and that they had tried to cancel it, unsuccessfully. The DPA noted that the credit rating seems to have been conducted due to "nosiness".

Gveik AS didn't have written routines for credit ratings, because these are only conducted for new customers and customers that "request many new services".

Dispute[edit | edit source]

Did Gveik AS have legal grounds for processing the personal data of the complainant for a credit scoring, as per Article 6(1)(f)? And did they have sufficient internal controls for the use of credit scoring in their business?

Holding[edit | edit source]

No, Gveik AS did not have legal grounds for processing the personal data of the complainant for credit scorings, as per Article 6(1)(f). For this offense, the company was fined NOK 75,000.

They also didn't have sufficient internal controls for the use of credit scoring in their business, as per Article 24. For this offense, the company is required to establish corresponding internal controls and submit a written confirmation and actual documentation of the internal controls, to the DPA.

The DPA also noted that Gveik AS likely didn't have sufficient technical and organizational security measures, but didn't find strong enough evidence to add further penalties for this.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.

Decision on order and infringement fee - Credit assessment without legal basis

1 Introduction

We refer to our notice of decision on order and infringement fee of 26 June 2020.

We requested any comments from you by 7 August 2020. We cannot see that you have submitted comments on the notification, and we therefore still find reason to make a decision.

2. Decision on order and infringement fine

The Data Inspectorate makes the following decisions:

Pursuant to Article 58 no. 2 letter of the Privacy Ordinance, Gveik AS, org. No. 917 337 772, to pay an infringement fee to the Treasury of NOK 75,000 - seventy-five thousand - for obtaining a credit assessment without a legal basis under Article 6 of the Privacy Ordinance, and non-compliance with the principle of liability in Article 5 (2) of the Privacy Ordinance.

2. Pursuant to Article 58 no. 2 letter d of the Privacy Ordinance, Gveik AS is ordered to establish internal control and routines for credit assessments (cf. Article 24 of the Privacy Ordinance), as this was lacking at the time of the control.

The fulfillment deadline for decisions on infringement fines is four weeks from the decision is final, cf. the Personal Data Act § 27. This means four weeks after the appeal deadline has expired.

The deadline for completing the orders is 11 January 2021. By this deadline, you must send us a written confirmation that the order has been completed.

This is an individual decision that can be appealed in accordance with the rules of the Public Administration Act, cf. the Public Administration Act § 28. The deadline for appealing is three weeks after this letter has been received.

The Privacy Board is the appeal body, but any appeal must be sent to the Data Inspectorate. A complaint will not normally have a suspensive effect.

As part of the case, you have the right to familiarize yourself with the case documents in accordance with the Public Administration Act §§ 18-19.

3. The actual background of the case

The Data Inspectorate received a complaint dated 29 March 2019 that Gveik AS had performed and credit assessment of [edited] (hereinafter "complaints") without any objective need. The complaint was sent from [edited].

Complainants did not have a contractual or customer relationship with Gveik AS that could provide a legal basis for the credit assessment.

[edited]

Gveik AS writes in its statement dated 29 September 2019 on the credit assessment was carried out by a representative of Gveik AS by mistake. The representative was [edited] and did not represent Gveik AS in this case.

The credit assessment was performed in connection with [edited]. Gveik AS 'representative looked up complaints on the internet, and discovered that she had a sole proprietorship. The representative next sought complaints in Gveik AS 'system, and found complaints with the sole proprietorship. The representative was in the process of making a credit assessment, but was informed that complaints would be informed if [edited] proceeded, as this was a sole proprietorship. The representative pressed "cancel" on the mobile, and closed the page. In retrospect, it has turned out that the credit assessment was nevertheless carried out.

Gveik AS writes that this is unfortunate, and that it can be easy to press incorrectly on the mobile phone, as the key options "cancel" and "continue" are placed close together.

Gveik AS has no written routines for credit assessment, and since credit assessment can be carried out for new customers and customers who want more services. The routines for credit assessment are clearly stated on the page where credit assessments are carried out, and are regulated in the contract with the credit information business.

[edited] 

4. Legal background

4.1. Legal basis for obtaining a credit rating

Obtaining credit information about individuals and sole proprietorships ("the registered persons") constitutes a processing of personal data, cf. the Privacy Ordinance Article 4 no. 2 and the Personal Data Act § 1.

Article 6 (1) of the Privacy Regulation requires that all processing of personal data has a legal basis.

When an undertaking is to obtain credit information about the data subject without the consent or credit assessment is strictly necessary for the implementation of an agreement with the data subject, Article 6 (1) (f) is the most appropriate basis for processing.

Article 6, paragraph 1, letter f requires that the collection of credit information is "necessary" in order to safeguard a "legitimate interest" which, after a balance of interests, outweighs the interests of the individual's privacy.

The legitimate interest must be legal, clearly defined in advance, real and objectively justified in the business. Which interests meet this depends on an assessment where, among other things, what benefits the company achieves with the treatment, how important the interest is for the company, or whether the treatment has a public interest or safeguards non-profit interests that benefit more are relevant factors.

Furthermore, the treatment in question must be "necessary" for purposes related to the legitimate interest. This means that the company must consider whether it can achieve its purpose in a way that better safeguards privacy. One must therefore choose the treatment that is least invasive.

Thereafter, the business must make a balance of interests to determine whether the individual's privacy outweighs the business' legitimate interest. The type of information that is relevant to process, for example whether obtaining the relevant information may be perceived as offensive, and what expectations the individual has for the processing of the personal data, are relevant factors in the balancing of interests.

The now repealed Personal Data Regulations § 4-31 contained an additional condition that credit information could only be obtained unless the company had a "factual need" for the credit information. The regulations § 4-3¹ are continued in accordance with the regulations on transitional rules on the processing of personal data § 4.²

However, the Privacy Ordinance does not provide national room for maneuver for special regulation of the collection of credit information. We therefore believe that the requirement for "factual need" does not constitute an additional condition to Article 6, paragraph 1, letter f. letter f. We therefore believe that previous administrative practice regarding the requirement of objective need is still relevant when assessing Article 6 no. 1 letter f. 4.2. Internal control

Pursuant to Article 24 of the Privacy Regulation, companies must be able to demonstrate that they process personal data in accordance with the law. If it is in a reasonable relation to the processing activities, the company must implement appropriate guidelines for the protection of personal data.

Credit rating is an intrusive treatment against privacy. Therefore, the company must in principle be able to document internal routines or processes, so-called internal control, which meet the requirement for a processing basis for credit assessment.

The routines must describe when and how credit information is to be obtained, deletion routines and how access is to be provided. Furthermore, the company must have routines for handling deviations.

5. The Data Inspectorate's assessment

5.1. Duty to internal control and justification for orders

According to the report, one of the reasons why Gveik AS lacks written routines is that credit assessments were only made by new customers and by customers who suddenly had many services.

However, Gveik AS is obliged to assess whether there is a legal basis for a credit assessment, regardless of whether it concerns a company, a sole proprietorship, or an individual.

When assessing the credit of individuals and sole proprietorships, there must be a legal basis in accordance with Article 6 of the Privacy Ordinance. The company is responsible for ensuring that the processing has a legal basis, cf. of companies, it is important to be aware that credit assessments of sole proprietorships will constitute a processing of personal data.

According to the report, Gveik AS uses a representative who is given access to perform credit assessments, despite the fact that Gveik AS has not been registered with any employees after the Data Inspectorate's investigations. As Gveik AS has stated the case, the representative does not appear to have been aware of the regulations. This suggests that Gveik AS must establish written routines for credit assessments.

As Gveik AS uses a representative who is given access to perform credit assessments on behalf of the company, it is important that the individual representative is familiar with the rules for credit assessment. In the Data Inspectorate's assessment, the establishment of routines could therefore have a preventive effect against unlawful credit assessments being carried out later. Taking further into account that credit assessment is an intrusive measure against privacy, we believe Gveik AS must establish internal control and routines for credit assessments in accordance with the Privacy Ordinance Article 24. The Norwegian Data Protection Authority has the competence to order the data controller to ensure that processing activities take place in accordance with the Privacy Ordinance, cf. the Privacy Ordinance Article 58 no. 2 letter d. This is the background for the order to prepare routines for credit assessment. Gveik AS must prepare routines that ensure that credit assessments only take place when the requirements in the Privacy Ordinance are met.

5.2. Legal basis for obtaining the credit rating

Based on the information in the case, the Data Inspectorate assumes that there was no contractual relationship between the complainant and Gveik AS, and that the complainant did not consent to the credit assessment.

The relevant legal basis is the Privacy Ordinance, Article 6 (1) (f). According to the provision, obtaining credit information may be lawful if it is "necessary" for purposes related to "legitimate interests", and the interest outweighs the complainant's privacy considerations.

The credit assessment was carried out on the basis of [edited] The credit assessment is therefore characterized by curiosity, which will not constitute a "justified" interest. We also understand Gveik AS so that the credit assessment should not have been carried out.

Furthermore, Gveik AS, through their representative, has obtained credit information about an individual without any kind of customer relationship, contact or other connection to their business. The legitimate interest must be objectively justified in the business, and in our case the collection took place for a purpose completely outside the business' operations. Complainants had no expectation that the company would process her credit information, and it was not foreseeable for complainants at the time of collection that Gveik AS would process her credit information.

In our opinion, there was no "justified interest" in the credit assessment.

It is therefore not necessary for the Data Inspectorate to assess whether the credit assessments were "necessary" for the purpose and whether the company's legitimate interest exceeded the considerations for the complainant's privacy. The conclusion is that Gveik AS lacked a basis for processing the credit assessment pursuant to Article 6. 5.3. General information on infringement fines The Data Inspectorate has the competence to impose infringement fines in accordance with the Privacy Ordinance, Article 58, paragraph 2, letter i. In accordance with the Supreme Court's case law (cf. Rt. 2012 page 1556), we assume that infringement fines are to be regarded as penalties in accordance with Article 6 of the European Convention on Human Rights. The case and the question of imposing an infringement fee have been assessed on the basis of this evidentiary requirement. In this context, we refer to Chapter IX of the Public Administration Act on administrative sanctions. An administrative sanction means a negative reaction that can be imposed by an administrative body, which is directed at a violation of law, regulation or individual decision, and which is regarded as a punishment under the European Convention on Human Rights (ECHR). For companies, the debt assessment is unique. Section 46, first paragraph, of the Public Administration Act states: When it is stipulated in law that an administrative sanction may be imposed on an enterprise, the sanction may be imposed even if no individual has shown guilt. Prop. 62 L (2015-2016) page 199 states about § 46: The wording that ‘no individual has shown guilt’ is taken from the section on corporate punishment in the Penal Code § 27 first paragraph and shall be understood in the same way. The responsibility is therefore basically objective. 5.4. Our assessment of whether an infringement fee should be imposed

In this case, it has been documented that Gveik AS carried out a credit assessment of complaints, and we believe that there is a clear overriding probability that this collection lacked a legal basis.

In assessing whether to impose an infringement fine, we shall take into account the elements set out in Article 83 (2). weight.

Here we will assess the relevant aspects on an ongoing basis.

a) the nature, severity and duration of the infringement, taking into account the nature, scope or purpose of the treatment concerned and the number of data subjects affected, and the extent of the damage they have suffered;

The principle of legality in Article 5 (1) of the Privacy Regulation and the requirement for a basis for processing in Article 6 is one of the basic requirements for the processing of personal data.

Credit information is a type of personal information that is particularly worthy of protection. This also applies to information about sole proprietorships as the owner is directly identified with the company and is directly linked to the owner's personal finances.

A credit rating is the result of a compilation of personal information from many different sources, and shows a number that indicates the probability that a person will pay a claim. A credit rating will also show details about individuals' personal finances, including any payment remarks, voluntary mortgages and debt ratio. This is private information that private individuals have an expectation that is not obtained by companies unless it is objectively justified in their relationship with them. The violations are therefore serious, and indicate that an infringement fee is imposed.

Furthermore, the Data Inspectorate is of the opinion that the company's action had an intrusive effect on complaints, considering that the infringement occurred on the basis of [edited] without connection to Gveik AS.

In the mitigating direction, the fact that an illegal credit rating will not be a breach over a longer period pulls. On the other hand, the damage has already occurred and it cannot be reversed after the personal data has been obtained illegally.

Gveik AS 'representative is said to have tried to interrupt the credit assessment, and closed the page before [edited] before becoming acquainted with the content of the credit assessment. The Data Inspectorate has no grounds for doubting this information. It therefore pulls in a somewhat mitigating direction that Gveik AS should not have become more familiar with the content of the credit assessment.

b) whether the infringement was committed intentionally or negligently

Gveik AS writes that the credit assessment was carried out by accident, as Gveik AS 'representative tried to cancel the operation. This points in the direction that Gveik AS did not carry out the wrongful credit assessment intentionally.

However, a credit assessment was carried out in a negligent manner. As the representative had to use Gveik AS 'access, we believe the representative must have known that obtaining a credit rating should be linked to the company's needs, and not his own curiosity. In our opinion, this is something Gveik AS could have averted by having routines for credit assessment, by communicating the routines to any representatives who should have access, and by having access control to ensure that only those with objective needs have access to the system.

c) any measures taken by the data controller or data processor to limit the damage suffered by the data subjects;

Gveik AS has not stated that measures have been taken to limit the damage suffered by the registered person.

(d) the degree of responsibility of the controller or processor, taking into account the technical and organizational measures they have implemented in accordance with Articles 25 and 32;

The Data Inspectorate emphasizes that Gveik AS lacks technical and organizational measures to ensure and demonstrate that collection of credit assessments is carried out in accordance with the Privacy Ordinance. See Article 24 on the responsibilities of the controller.

Gveik AS has also written that the person who performed the credit assessment was a representative, despite the fact that the company does not have registered employees. It can therefore be questioned whether Gveik AS has sufficient access control in its systems, cf. Article 32. The case is not sufficiently informed for us to emphasize any lack of access control.

However, we draw Gveik AS 'attention to the fact that Article 32 sets out an obligation to have sufficient personal data security in its solutions, in accordance with a risk assessment. This includes a requirement for confidentiality, so that the company must ensure that only those with objective and service needs have access to personal information.

e) any previous violations committed by the data controller or data processor

The Norwegian Data Protection Authority is not aware of any previous violations.

(f) the degree of cooperation with the supervisory authority in order to remedy the infringement and reduce the possible negative effects of it;

Gveik AS apologizes for the incident, and has helped to inform the case. We believe it is mitigating that Gveik AS has apologized for the incident and acknowledged that it was incorrect, as this facilitates the Data Inspectorate's case processing. Beyond this, we will not emphasize cooperation considerations. According to guidelines from the Article 29 Working Party, adopted by the Privacy Council ("EDPB"), it is not appropriate to place mitigating emphasis on co-operation which is in any case

required by the Privacy Ordinance.³

g) the categories of personal data affected by the infringement

Special categories of personal data (sensitive personal data) are not affected by the violation in our case. However, information on salary, debt and creditworthiness is information that has a special need for protection due to its private nature. This argues for the imposition of infringement fines.

(h) the manner in which the supervisory authority became aware of the infringement, in particular whether and, if so, to what extent the data controller or data processor has notified the infringement;

The Norwegian Data Protection Authority does not find this aspect relevant.

(i) if the measures referred to in Article 58 (2) have previously been taken against the data controller or data controller concerned in respect of the same subject matter, that such measures are complied with;

The Norwegian Data Protection Authority is not aware that measures have previously been taken against the company with regard to the same subject matter.

(j) compliance with approved standards of conduct in accordance with Article 40 or approved certification mechanisms in accordance with Article 42;

The Norwegian Data Protection Authority does not find this aspect relevant.

k) and any other aggravating or mitigating factor in the case, e.g. financial benefits obtained, or losses avoided, directly or indirectly, as a result of the infringement

The Data Inspectorate cannot see that Gveik AS has obtained any benefits as a result of the violation.

Based on the assessment above, the Data Inspectorate concludes that an infringement fee should be imposed. The next question is the size of the fee.

5.5. The amount of the infringement fee

In determining the fee, the points in section 5.4 above shall be given weight, cf. Article 83 (2).

The violations occurred after the Privacy Ordinance came into force on 20 July 2018. According to the previous regulations, the fine level was NOK 75,000 for cases concerning credit information. See for example PVN-2015-14 Viken Finance, PVN-2016-07 Synchronous Media, PVN-2016-09 Codex lawyer, PVN-2017-01 Hereid Hus and PVN-2017-02 Bertram Bil.

The Privacy Ordinance stipulates a higher ceiling for the calculation of infringement fines than that which applied under the Personal Data Act of 2000.

It follows from Article 83 (1) of the Privacy Ordinance that the infringement fee shall be determined concretely so that in each individual case it is effective, is in a reasonable proportion to the infringement and has a deterrent effect.

The main purpose of the infringement fee is contraception, ie that the risk of being charged a fee shall have a deterrent effect and contribute to increased compliance with the regulations.⁴

By Bergseng Skullerud et al., 2019, the commentary to the Privacy Ordinance, page 347, it appears:

Contraceptive considerations dictate that the fee for an offense must be set so high that it is actually perceived as an evil by the offender. This means that the offender's financial ability should be important in the assessment, so that the fee becomes higher the stronger the offender's carrying capacity. […] When assessing the financial sustainability of an enterprise, it may be relevant to look at the enterprise's total global annual turnover in the preceding financial year, cf. art. 83 Nos. 4 and 5.

And further:

The consideration of ensuring an individual assessment in each individual case indicates that the supervisory authorities should avoid establishing standardized fee rates. This applies even if national law allows for standardized rates, cf. the Public Administration Act § 43.

The fee must therefore be measured specifically in each case, and act as a deterrent for the individual business.

Article 83 (5) of the Privacy Regulation sets a higher maximum amount for a fee when the case concerns violations of the basic principles for the processing of personal data in accordance with Articles 5 and 6 of the Privacy Regulation.

In our case, Gveik AS lacked a basis for processing credit information on complaints (the principle of legality).

Otherwise, the factors we have pointed out in section 5.4 above argue for a fee of a certain size. In an aggravating direction, we place special emphasis on the fact that the credit assessment is characterized by curiosity, and that the company lacked technical and organizational measures for compliance with the privacy regulations (the principle of liability). Lack of guidelines for who and when credit assessments can be carried out has facilitated the misuse of the company's assets.

In a mitigating direction, we emphasize that the company has acknowledged that the credit assessment should not have been carried out, and that the credit assessment should have been interrupted.

We also emphasize the company's finances. According to publicly available documents, Gveik AS is registered with a turnover of NOK 49,000 in 2017, and an annual profit of NOK -46,000. The business is registered with equity of NOK 80,000 and a very good solvency. Since we sent the notice, Gveik AS 'accounts for 2019 have become publicly available. According to the accounts from 2019, operating revenues were NOK 0, and the annual result NOK -30,000.

Low turnover and a negative annual result constitute mitigating circumstances. At the same time, the seagull fee is set so high that it is effective and achieves a sufficient deterrent effect. After an overall assessment of the elements in the case that we have reviewed above and the seriousness of the violation, we have come to the conclusion that a violation fee of NOK 75,000 is considered correct.

6. Publicity, transparency and duty of confidentiality

We will inform you that all the documents are in principle public, cf. the Public Access to Information Act § 3. If you believe there is a basis for exempting all or parts of the document from public access, we ask you to justify this.

The Norwegian Data Protection Authority has a duty of confidentiality regarding who has complained to us, and about the complainant's personal circumstances. The duty of confidentiality follows, among other things, from the Personal Data Act § 24 and the Public Administration Act § 13. As a party to the case, you may nevertheless be made aware of such information by the Data Inspectorate, cf. the Public Administration Act § 13 b first paragraph no. , cf. the Public Administration Act § 18.

We point out that you have a duty of confidentiality regarding information you receive from the Data Inspectorate about the complainant's identity, personal circumstances and other identifying information, and that you can only use this information to the extent necessary to safeguard your interests in this case, cf. Public Administration Act § 13 b second paragraph. We also point out that breaches of this duty of confidentiality can be punished according to the Penal Code § 209.

With best regards